MINIMUM COMPUSEC STANDARDS

A PHASED APPROACH


o Step 1: Setting of Initial Limiting Conditions (Completed November 1983)

- SCI information systems only 

— 13 critical SCI information systems, initially 

- Security upgrades to existing operational SCI information
systems

- Reducing or eliminating areas of greatest vulnerability 

— Inadequate access and authentication controls 
-- Inadequate system accountability, e.g., auditing, 
transactional analysis, monitoring, etc. 

— Inadequate dissemination and security labeling controls 
and management 

- Security upgrades achievable in the 1985-1986 timeframe by use
of market available products/services, by introduction of
in-house procedures and controls, or by additional personnel
resources (implies approval of needed funding)

o Step 2: Identification of Minimum SAFEGUARDS


- The term "SAFEGUARDS" is used to specify a candidate set
of COMPUSEC STANDARDS. In this sense, a "STANDARD" has an
accepted formal meaning; a "SAFEGUARD," on the other hand, is
used as an informal designation of a definable security
upgrade.

- 41 SAFEGUARDS were derived in the limited context of Step 1,
i.e., for achieving the needed security upgrades for the three
areas of greatest vulnerability of the selected 13 critical
SCI information systems.

(Completed October 1983) 

- The 41 Minimum SAFEGUARDS initially identified by October 1983
will be reduced to those achievable in the 1985-1986 timeframe
to meet one of the specified limiting conditions of Step 1.
These 1985-1986 Minimum SAFEGUARDS will probably number about
20.

(To be completed March 1983) 

o Step 3: Recommendation of Candidate List of 1985 Minimum COMPUSEC Standards

- The 1985 Candidate Minimum COMPUSEC Standards will be selected
from the approximately 20 1985-1986 Minimum SAFEGUARDS and will
be those aimed directly at alleviating the three most serious 
vulnerabilities identified in Step 1 and present in the 13 
critical SCI information systems. 

- The 1985 Candidate Minimum COMPUSEC Standards will be separated 
into: 

— 1) Mandatory COMPUSEC Standards 

— 2) Voluntary COMPUSEC Standards 

Only those standards which can be implemented, i.e., to which
resources have been allocated, can be prescribed as mandatory.

All other standards will be designated voluntary.

(To be completed July 1984) 

o Step 4: Establishing a COMPUSEC Standards Compliance and Coordination
Process 


- This Step 4 proceeds in parallel with Steps 2, 3, 5 and 6. 
The first components of the process are needed to handle 
the promulgation of the candidate mandatory standards for 
comment by affected US Government and industry organizations 
(Step 5). 

- DOD has a standards program formalized by regulation.

The IC has no such formalized standards program. Since SCI 
COMPUSEC Standards must be set by the DCI so as to adequately 
provide for protection of sources, methods and intelligence 
content, an IC or NFIB COMPUSEC compliance and coordination 
process is needed to interface with or augment the DOD 
Standards Program. 

o Step 5: Promulgation for Comment of Candidate 1985 Mandatory COMPUSEC
Standards by the DCI/DDCI 

- Candidate standards, both mandatory and voluntary, may be 
established by consensus or edict. Consensus is more common 
for US Government standards with the possible exception of 
National Security-related standards. 

- General types of standards anticipated for COMPUSEC include:

— 1) Documentation Standards 

— 2) Performance Standards 

— 3) Interface Standards 

-- 4) Protocol Standards 

— 5) Data Standards 

— 6) Software Program Standards 

— 7) Equipment Standards 

Industry is particularly concerned with standards that lead
to potential sole-source situations.

Promulgation of candidate standards is always preceded by
difficult decisions relative to issues resulting from
considerations such as those just described.

(To be initiated September 1984) 


o Step 6: Issuance of the First 1985 Mandatory and Voluntary COMPUSEC
Standards by the DCI/DDCI 


- This step assumes an in-place standards compliance and 
coordination process. 


(To be initiated October 1984) 

MINIMUM COMPUSEC STANDARDS
A PHASED APPROACH

DIAGRAMMED

Nov 1983   Step 1: Setting of Initial Limiting Conditions

           Step 2: Identification of Minimum SAFEGUARDS
Oct 1983     Part 1: First identification of 41 SAFEGUARDS
Mar 1984     Part 2: Delineation of a 1985-1986 Set of Minimum SAFEGUARDS

Jul 1984   Step 3: Recommendation of a Candidate List of 1983 Minimum COMPUSEC Standards

Sep 1984   Step 5: Promulgation for Comment of Candidate 1985 Mandatory Standards

Oct 1984   Step 6: Issuance of First 1985 Mandatory and Voluntary COMPUSEC Standards

Right-hand column of the diagram (marked Jan. 1984 at top and Oct 1984 at bottom):
Establishing a COMPUSEC Standards Compliance and Coordination Process